REVIEW OF THE SMALL BUSINESS ADMINISTRATION’S PROTECTION OF SENSITIVE AGENCY INFORMATION

Report Number: 07-13
Date Issued: February 9, 2007

U.S. Small Business Administration
Office of Inspector General
Memorandum

To:      Christine Liu
         Chief Information Officer
         Chief Privacy Officer

Date:    February 9, 2007

From:    /S/ Original Signed
         Debra S. Ritt
         Assistant Inspector General for Auditing

Subject: Advisory Memorandum Report on SBA’s Protection of Sensitive Agency Information

Following numerous incidents involving the compromise or loss of sensitive personal information, on June 23, 2006, the Office of Management and Budget (OMB) issued Memorandum 06-16, Protection of Sensitive Agency Information,¹ requiring federal agencies to take certain actions to protect sensitive information entrusted to them. These actions, which were to be implemented by August 7, 2006, included: (1) encrypting the data on mobile computers and storage devices; (2) implementing remote two-factor authentication for access to internal government networks; (3) installing time-out features for remote sessions on internal government networks; and (4) maintaining logs of computer-readable data extracts from databases holding sensitive information. The memorandum also directed the Offices of Inspector General (OIGs) to review agency progress in implementing these safeguards.

As required, we evaluated SBA’s progress in implementing the actions directed by OMB to protect sensitive agency information.
We reviewed the Agency’s policies and procedures on information security and privacy, interviewed the responsible systems security personnel in the Office of the Chief Information Officer, and conducted a limited test of SBA’s Virtual Private Network to determine the adequacy of its user reauthentication requirements. Our evaluation was performed at SBA’s headquarters during August and September 2006, and our report was issued on September 22, 2006.

¹ Sensitive information is any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

Since that time we have performed additional work to assess the current status of SBA’s efforts. This report presents additional details supporting our earlier findings, provides the status of SBA’s data protection activities as of December 1, 2006, and makes five recommendations to further strengthen the safeguards that protect sensitive agency information.

RESULTS IN BRIEF

Information Redacted [Exemption 2]

SBA reviewed a draft of this report and concurred with the findings and recommendations. SBA’s full response is included in Appendix II of this report.

FINDINGS

SBA Has Not Encrypted Sensitive Data on Mobile Computers and Devices

OMB Memorandum 06-16 requires encryption of all data on mobile computers and devices that carry Agency data, unless the data is determined to be non-sensitive. However, as of August 7, 2006, SBA did not have a full inventory of the information systems that contained personally identifiable information, and so could not know which mobile computers and devices carried data requiring encryption. At the time of our review, SBA had adequately assessed 20 of a potential 101 systems for sensitive information.

Information Redacted [Exemption 2]

SBA Had Not Implemented Remote Two-Factor Authentication for Accessing the Agency Network

OMB Memorandum 06-16 requires that remote access to an agency network be allowed only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access.

Information Redacted [Exemption 2]

SBA Does Not Have a “Time-Out” Function for Email Remote Access

OMB requires that remote access and mobile devices employ a “time-out” function that forces user reauthentication after 30 minutes of inactivity.

Information Redacted [Exemption 2]

Logs of Computer-Readable Data Extracts Are Not Maintained

As of August 7, 2006, SBA did not have logs of computer-readable data extracts from systems containing sensitive information. OMB Memorandum 06-16 requires agencies to log all computer-readable data extracts from databases holding sensitive information and to verify that each extract containing sensitive data has been erased within 90 days, unless its use is still required. Our evaluation disclosed that SBA had neither procedures to create such logs nor procedures to ensure the erasure of old, unneeded data extracts.

As of December 1, 2006, SBA had determined that some of its offices had created computer-readable data extracts of sensitive information that were used by employees and contractors. Additionally, SBA is planning to write the procedures necessary to require that a record be maintained of data extracts from sensitive Agency databases and that those extracts be erased when they are no longer needed. Until SBA completes these activities, it will not have the record of the sensitive data stored in each of its systems that it needs in order to respond properly to incidents involving the loss or compromise of sensitive data.

RECOMMENDATIONS

We recommend that the Chief Information Officer:

1. Complete an inventory of information systems containing sensitive Agency information.

2. Information Redacted. [Exemption 2]

3. Information Redacted. [Exemption 2]

4. Information Redacted. [Exemption 2]

5. Log all computer-readable data extracts from databases holding sensitive information and verify that each extract containing sensitive data has been erased within 90 days unless it is still needed.

AGENCY COMMENTS

The Agency provided written comments concurring with all findings and recommendations in the draft report. SBA’s comments are summarized in the Results in Brief section, and the full text of the comments can be found in Appendix II to this report.

APPENDIX I. SCOPE AND METHODOLOGY

As required by OMB, we evaluated SBA’s progress in implementing Memorandum 06-16 as of August 7, 2006. We used a “data collection instrument” developed by the President’s Council on Integrity and Efficiency to answer specific questions regarding the implementation of Memorandum 06-16.

We also interviewed SBA’s information systems security officer and other personnel responsible for managing SBA’s implementation of the Memorandum 06-16 requirements. We examined SBA’s policies and procedures relating to information security and privacy. We also conducted a functional test of SBA’s Virtual Private Network (VPN) to determine whether it required user reauthentication after 30 minutes of inactivity.

Our initial evaluation was performed at SBA’s headquarters office in Washington, D.C. during August and September 2006, and we submitted the completed data collection instrument to the Office of Inspector General, Department of Education, on September 22, 2006. We obtained additional status updates regarding SBA’s efforts in this area through December 1, 2006.

APPENDIX II. MANAGEMENT COMMENTS

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, DC 20416

Date:    January 25, 2007

To:      Debra S. Ritt
         Assistant Inspector General for Auditing

From:    /S/ Original Signed
         Christine H. Liu
         Chief Information Officer
         Chief Privacy Officer

Subject: OCIO’s Response to Draft Advisory Memorandum Report on SBA’s Protection of Sensitive Agency Information

Please find attached OCIO’s response to the recommendations addressed in the above report. If you require additional information, please contact me at (202) 205 [Exemption 2].

Attachment

cc: Jovita Carranza
    Deputy Administrator

Response to Office of Inspector General’s Audit Report on the Review of the Small Business Administration’s Protection of Sensitive Agency Information (Project No. 6028):

OIG’s Recommendations

1. Complete an inventory of information systems containing sensitive Agency information. (Agree)
   OCIO’s Response: OCIO completed an inventory of the Agency’s major and minor information systems containing sensitive information. Privacy Impact Assessments (PIAs) for the Agency’s major information systems will be completed 1/31/07, and PIAs for the minor systems are scheduled for completion 2/28/07.

2. Information Redacted. [Exemption 2]

3. Information Redacted. [Exemption 2]

4. Information Redacted. [Exemption 2]

5. Log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days unless further needed. (Agree)
   OCIO’s Response: SOP 90-47, “Automated Information Security Program,” is currently under revision to address this recommendation.

APPENDIX III. REPORT DISTRIBUTION

Recipient                                                      No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown ...................................................... 1

General Counsel ............................................................... 3

Office of Management and Budget ............................................... 1

U.S. Government Accountability Office ......................................... 1